1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
It is possible to mitigate the risk of infection by being careful about clicking links found on websites such as blogs and forums, where there may be little control over, or quality checking of, the content. Basic checks such as hovering the mouse pointer over a link will normally reveal where it leads. Users can also check online website rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

Users should be aware that email messages with malicious content may appear to have been sent by people known to them, and as such the fact that the sender is known does not guarantee the safety of any particular message. Users should exercise caution when opening attachments in email messages, especially if:

The sender is unknown, or the message is unexpected

Given the sender, the characteristics of the email are unusual

The email contains a link to an unknown domain or an executable file

Essentially, users should avoid opening email attachments unless their authenticity can be verified.

1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software are up to date and operational. Users should turn on automatic updates, where available, so that their computers receive the latest patches and updates as soon as they are released.

1.3 Address blocking
This threat communicates with a remote control server. Block access to the following addresses using a firewall or router, or add entries to the local hosts file that redirect them to 127.0.0.1:


2. INFECTION METHOD
Bredolab has been observed using the following two primary methods of distribution:

Drive-by download

Email

A more detailed description of how the threat employs these techniques is provided in the following sections.

2.1 Drive-by download
Trojan.Bredolab is known to be spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by exploit kits available on the underground market (e.g. Eleonore, Fragus, Phoenix) and as such need not be crafted by individuals with a high degree of technical ability. The exploits used by these kits may vary, as the kits are modular by design: attackers can buy new exploits for their website as they become available for purchase.

A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded onto the user's computer without his or her consent. This method can also use more than one exploit, targeting the following technologies to improve its chance of success:

ActiveX

DirectShow

Flash

PDF

Snapshotviewer

Furthermore, a target computer is typically bombarded with exploits for many vulnerabilities until one succeeds in compromising it. In doing this, the attackers illustrate their determination to break into the computer by any means possible.

2.2 Email
The email distribution method employs social engineering tricks to convince the user to open the attachment of the email. All of the emails are crafted in such a way as to appear as legitimate as possible in order to deceive the user.

Several themes have thus far been witnessed, including offering the user free money, informing them of a delivery failure, or requesting that they update their Facebook password. It is also common for the threat to reuse these themes afterward. For example, around May of 2009, it used a theme where it posed as an invoice for a Western Union money transfer. Later on, at the end of August 2009, we started seeing the same theme being used again. It was another email pretending to be an email notice for a Western Union money transfer but with slight variations in the attachment name and message body.

The attachment is typically a .zip file. This should set off alarm bells among the more cautious of Internet users straight away. The .zip file typically contains an .exe file that has a common program icon, e.g. Microsoft Excel, Microsoft Word. The name of the .zip file is usually the same as the .exe file within it. The threat executes its payload once the .exe file is opened.
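The attachment pattern described above (a .zip whose single member is an .exe carrying the same name as the archive) is straightforward to check for at a mail gateway. The following is an added example, not Symantec's code; it also flags bare attachments with the risky extensions listed in the Recommendations section, and the UPSNR_05fa2628.zip sample it tests against is constructed from the attachment name quoted later in this writeup.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions the writeup lists as commonly used to spread threats.
RISKY_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def split_ext(name: str) -> Tuple[str, str]:
    """Split 'invoice.exe' into ('invoice', '.exe'); no extension gives ''."""
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, "." + ext


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons (possibly none) an attachment matches the Bredolab pattern.

    A bare executable is flagged outright. A .zip is opened in memory and each
    member is checked for an executable extension; a member whose stem equals
    the archive's own stem is the exact pattern the writeup describes.
    """
    reasons: List[str] = []
    stem, ext = split_ext(filename.lower())
    if ext in RISKY_EXTENSIONS:
        return [f"attachment itself is executable ({ext})"]
    if ext != ".zip":
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    for name in members:
        mstem, mext = split_ext(name.rsplit("/", 1)[-1].lower())
        if mext in RISKY_EXTENSIONS:
            reasons.append(f"executable member: {name}")
            if mstem == stem:
                reasons.append(f"member name matches archive name: {name}")
    return reasons


def make_zip(member: str, payload: bytes) -> bytes:
    """Build a single-member zip in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```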

When it was found that Bredolab emails were coming from many different sources, it was suspected that the Bredolab emails were being sent out from compromised computers that have likely been infected by a spam bot or similar malware. In fact, due to the propensity of malware nowadays to 'help' each other in their propagation, there is a good possibility that there is more than one spam bot or malware distributing Bredolab emails, e.g. Trojan.Pandex (a.k.a. Pushdo/Cutwail).

Known topics used
The following are topics that Symantec has observed in use in emails propagating this threat family.

Western Union Free Money

UPS delivery failures

Shop.corsair.com shipping confirmations

Facebook password changes

The following are some representative samples of the types of emails that are used to help propagate this threat.

Subject: Western Union Transfer MTCN: [RANDOM NUMBER]

Email body:
Dear client!

The money transfer you have sent on the 9th of April has not been received by the recipient.
Due to the Western Union agreement the transfers which are not collected in [NUMBER] business days are to be returned to sender.
To collect cash you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

We were not able to deliver postal package you sent on the 14th of March in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office.

We were not able to deliver the postal package which was sent on the 26th of April in time
because the addressee's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

Subject: UPS Tracking Number W1EYBUS

Email body:
Hello!

We were not able to deliver the package which was sent on the 24th of July in time because the recipients address is incorrect.
Please print out the invoice copy attached and collect the package at our department.

Your United Parcel Service of America

Attachment: UPSNR_05fa2628.zip

Subject: Shipping confirmation for order 71766

Email body:
Hi!

Thank you for shopping at our internet store!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered Apple iMac MB419LL.
You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!
Shop.corsair.com

Attachment: one of the following:

D[NINE CHARACTERS].zip

M[EIGHT CHARACTERS].zip

Subject: one of the following:

Facebook Update Tool

Facebook account update

Facebook Account Update

Facebook Password Reset Confirmation.

Facebook Password Reset Confirmation. Customer Message.

Facebook Password Reset Confirmation. Customer Support.

Facebook Password Reset Confirmation. Important Message

Facebook Password Reset Confirmation. Support Message.

Facebook Password Reset Confirmation. Your Support.

Email body:
Hey [EMAIL USER NAME],

Because of measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Facebook Team

Attachment: Facebook_Password_[FIVE RANDOM CHARACTERS].zip

2.3 Websites
The following addresses have been known to host or facilitate the spreading of this threat family.


The following vulnerabilities have been used in spreading this threat through websites:

3. FUNCTIONALITY
The primary function of this threat is to download more malware onto the compromised computer.

Once the Trojan is executed, it opens communication with a remote command and control (C&C) server. All communication is encoded to avoid attracting attention and triggering antivirus detection. It then sends a request to download files (which it calls entities) from this server. The files are either executed immediately or saved to the following location and then executed:

%Windir%\Temp\wpv[TWO RANDOM DIGITS][ENTITY ID].exe

Note: [ENTITY ID] is a ten-digit decimal number that the threat assigns to each downloaded file in order to identify and keep track of it.
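The drop location above is specific enough to turn into a file-creation detection rule. As an added example (not part of the original writeup), the matcher below anchors on a Temp directory directly under the Windows directory, whatever drive letter or name that directory has, and extracts the entity ID from each hit; the sample paths are constructed, not taken from a real infection.

```python
import re
from typing import List, Optional, Tuple

# %Windir%\Temp\wpv[TWO RANDOM DIGITS][ENTITY ID].exe, with a ten-digit entity
# ID. Windows paths are case-insensitive, so the match is too. %Windir% is
# modelled as any top-level directory on any drive (C:\Windows, D:\WINNT, ...).
DROP_PATTERN = re.compile(
    r"^[a-z]:\\[^\\]+\\temp\\wpv(?P<rand>\d{2})(?P<entity>\d{10})\.exe$",
    re.IGNORECASE,
)


def match_bredolab_drop(path: str) -> Optional[Tuple[str, str]]:
    """Return (random digits, entity ID) if path matches the drop location, else None."""
    m = DROP_PATTERN.match(path)
    if not m:
        return None
    return m.group("rand"), m.group("entity")


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Run the matcher over file paths (e.g. from file-creation events) and
    return (path, entity ID) for each hit."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        m = match_bredolab_drop(p)
        if m:
            hits.append((p, m[1]))
    return hits


# Constructed sample of file-creation events; only the first should match.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Temp\wpv731234567890.exe",
    r"C:\Windows\Temp\wpv12.exe",                                # no entity ID
    r"C:\Users\alice\AppData\Local\Temp\wpv731234567890.exe",    # user temp, not %Windir%
    r"C:\WINDOWS\Temp\wpv731234567890.exe.txt",                  # wrong extension
    r"C:\WINDOWS\system32\wpv731234567890.exe",                  # not in Temp
]
```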

A report is then sent to the remote controller about which files executed successfully. This information is stored in one of the following log files created by the threat:

Processes
The threat attempts to inject itself into the following processes:

explorer.exe

svchost.exe

3.2 Network activity
The threat may perform the following network activities.

Communications with a command and control (C&C) server
When the threat executes, it opens communication with a C&C server. The Trojan sends a request to download files onto the compromised computer. It then sends a report back to the remote server detailing the success or failure of downloading each of the files. The following addresses have been known to be associated with this threat:


3.3 Other functionality

Multiple layers of packing
Bredolab is frequently repackaged to evade detection by antivirus software. A different distribution and packing scheme is used depending on the infection vector being used to spread the threat.

The packing scheme used for emails generally differs from the scheme used for website-based infections. Furthermore, it is likely that several distribution teams are used across the two infection vectors. Each team may employ different additional steps to add further obfuscation to the final product file. This results in files with several layers of armor, which help the threat evade packer-based detections.

Initially, Bredolab is packed with UPX. It is then embedded into an injector component, which is also packed with UPX. This pre-packed threat is then sent to the distribution teams. A different distribution team is used depending on the delivery method, i.e. either email or drive-by download.

When distributed using email, the Trojan is typically packed using custom packers that are armored with anti-debugging and anti-emulation code. It also uses encryption to further obfuscate itself and some of its data. Once the Trojan has been re-packaged with different characteristics and encryption, it is then distributed through spam email.

However, when distributed through a website, the threat is usually coupled with server-side polymorphism: each time the threat is requested from the server it is made to appear different at the code level. This technique ensures that different versions of the threat are constantly being released whenever a user visits a site hosting it.

Detecting Virtual Machines
Newer versions of Bredolab use techniques to determine whether they are executing within a virtual environment. This can be done by searching for the following files:

%System%\drivers\hgfs.sys

%System%\drivers\vmhgfs.sys

%System%\drivers\prleth.sys

It also checks for the string "VBOX" in the following registry subkey:
HKEY_LOCAL_MACHINE\HARDWARE\Description\System\SystemBiosVersion

Each of the above indicators generally confirms the presence of a virtual environment, which may mean that the threat is being executed and analyzed there. If this is the case, it is likely that the Trojan is being analyzed by an antivirus software engineer rather than running on a computer it can manipulate for its own purposes. Therefore, if the Trojan detects that it is executing within a virtual environment, it crashes the computer by simulating the termination of a system-critical process, thereby attempting to prevent any analysis of the threat.

Other protection methods
Another technique the threat uses to avoid detection is removing all hooks it can find on user-mode and kernel-mode functions. It then injects itself into either the explorer.exe or svchost.exe process. By doing this, the threat poses as a legitimate process and attempts to continue executing undetected.

Bredolab also uses a "forced exception" technique, whereby the threat purposely causes an exception to occur in its code. This can be used to determine whether it is executing in a debugging environment. If it is being debugged, it quits; otherwise, it continues its execution.

Similarly, "dummy" (do-nothing) instructions are also used to mislead signature-based detections.

Bredolab vs. Zbot
A new variant of Bredolab has been observed disabling the Zbot family of Trojans. The Bredolab sample searches for a list of file names known to be associated with Zbot and moves them to another location, thereby disabling it. It is not doing this in a benevolent way, as Bredolab is just as malicious as the Zbot family. In fact, the reason for doing it is more than likely that Zbot is preventing Bredolab from dominating control of the compromised computer.

4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.

If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.